How to Boost Your Search Rankings With An SSL

Why You Should Have an SSL Certificate

Have you been thinking about adding SSL security to your website? Have you been hesitating because it seems too complicated and expensive? Really, it’s neither. Half the traffic on the Web now goes over HTTPS / SSL connections, and it’s constantly growing. It’s not terribly difficult, even for a small business.

History of SSL, TLS, and HTTPS

The Web was originally designed for communication, not security. A request and its response travel through multiple routers, which aren’t necessarily trustworthy. They can read and even alter anything that passes through them. They can steal passwords, add scripts, or censor information.

As the Web grew, it became obvious that secure communication was necessary. In 1994, Netscape created the Secure Sockets Layer (SSL) to support encrypted communication on the Web. It let a browser communicate securely with a server, even if the two parties didn’t know each other. The HTTPS protocol sends requests and responses over SSL, keeping them safe from any “man in the middle.”

SSL has gone through a series of revisions over the years to improve its security. In 1999 the Internet Engineering Task Force (IETF) took over the standard, renaming it Transport Layer Security (TLS). Strictly speaking, SSL is obsolete, but the term is still widely used. The data document which lets a site transfer data over TLS is still almost always called an “SSL certificate.” We’ll stick with that usage here.

Why SSL is important

The most obvious reason for using SSL (TLS) is to protect confidential information in transit. Snoopers shouldn’t be able to intercept passwords, credit card numbers, and other data that needs to be kept secret. With widespread use of public Wi-Fi, this is more important than ever. Anyone with some simple equipment can intercept communications near a public Wi-Fi hotspot. The hotspot itself may belong to a criminal using it to collect personal information. There’s no easy way to tell a legitimate one from a malicious one.

Even owners of sites that don’t deal in personal information should consider using SSL. There are actually four benefits that it offers:

  • Authentication. It confirms that the response actually comes from the site it claims to come from (i.e., that no one else has hijacked the connection).
  • Non-repudiation. A third party can confirm that a message came from a given source without the originator’s cooperation.
  • Integrity. The information can’t be altered in transit without making the attempt obvious.
  • Confidentiality. No one else can read the information transferred.

Integrity is important even if confidentiality isn’t. An intermediary can alter data over an insecure connection. This is a concern for every site, whether or not it handles confidential data. There can be several motives for modifying data in transit:

  • Censoring information. An autocratic government may want to block unfavorable news.
  • Adding false information or other content. Someone might want to deceive the recipient, engage in “hacktivism,” or damage a site’s reputation.
  • Inserting malicious scripts. Unauthorized JavaScript can make viewers download malware or redirect them to another site.
  • Modifying links. Changing a link on a page could send the user to a malicious site or steal form data.

How it works

An SSL certificate is a small data file which establishes a site’s cryptographic identity. More formally, it’s called an X.509 certificate. It uses the Public Key Infrastructure (PKI) to set up secure communication with a browser. This approach uses two digital keys which are paired together. The private key is stored only on the website’s host. The public key is included in the certificate, which is available to anyone to view.

To get a certificate, a website’s owner has to generate a private key and a certificate signing request (CSR). From here there are two options.

The cheap option is to self-sign the certificate. This costs nothing and it allows encryption, but it provides no authentication. Someone coming in with a browser has no assurance that someone else hasn’t taken over your domain or intercepted and changed the data packets. Anyone else can create a self-signed certificate and claim it’s from your domain. It’s of little value outside of personal and test sites.

The useful option is to get a signed certificate. This requires submitting the CSR to a certificate authority (CA), which will generate a digitally signed certificate. It says that the CA has confirmed that the certificate actually belongs to your domain. A signed certificate provides authentication as well as encryption.

But wait. How do you know that the CA is who it claims to be? The answer is that the CA can have its own certificate signed. All certificates, to be generally accepted, have to follow a chain of certificates back to a trusted (root) CA. A trusted CA’s certificate is widely available, and browsers ship with a set of root certificates from them.
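The key, CSR, self-signed and CA-signed steps described above, as an added example (not part of the original article or the vendor's tooling). It uses the `openssl` command line; a throwaway local root stands in for a real CA, `example.test` and `Demo Root CA` are constructed names, and `openssl verify` plays the browser's role of checking the chain against a trusted root.

```shell
#!/bin/sh
# Added demo. Constructed names: example.test, "Demo Root CA"; all files go to a temp dir.
set -eu
umask 077                      # keep generated private keys unreadable to other users
PKI_DIR=$(mktemp -d)

# Site owner: generate a private key and a certificate signing request (CSR).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$PKI_DIR/site.key" -out "$PKI_DIR/site.csr" \
    -subj "/CN=example.test" 2>/dev/null
}

# Cheap option: sign the CSR with the site's own private key.
self_sign() {
  openssl x509 -req -in "$PKI_DIR/site.csr" -signkey "$PKI_DIR/site.key" \
    -days 30 -out "$PKI_DIR/selfsigned.crt" 2>/dev/null
}

# Stand-in for a CA: create a root key and certificate, then sign the same CSR with it.
ca_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" \
    -days 30 -subj "/CN=Demo Root CA" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/site.csr" \
    -CA "$PKI_DIR/ca.crt" -CAkey "$PKI_DIR/ca.key" -CAcreateserial \
    -days 30 -out "$PKI_DIR/signed.crt" 2>/dev/null
}

# Browser-side check: succeed only if the certificate chains back to the trusted root.
chains_to_root() {
  openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
}

make_csr
self_sign
ca_sign
for cert in selfsigned.crt signed.crt; do
  if chains_to_root "$PKI_DIR/$cert"; then
    echo "$cert: chains to the trusted root"
  else
    echo "$cert: rejected, no chain to a trusted root"
  fi
done
```

Both certificates carry the same public key and domain name; only the one signed by the root that the verifier already trusts is accepted.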

Setting up the server

To use the certificate, a site needs an SSL-capable server. Most modern servers, including Apache, Nginx, and IIS, support SSL. Each one has its own method of installing the certificate.

It’s vital to keep the private key strictly confidential. Anyone who grabs it can intercept all secure communications. At the same time, it needs to be safely backed up, in case it ever needs to be restored.

SSL will protect only information that’s accessed through an HTTPS URL. If a site was previously using HTTP URLs, it’s necessary to change them to use HTTPS. The old URLs should forward to the new ones, both to avoid breaking links and to help people who are too lazy to type “https://”.

The server needs to use an up-to-date version of TLS — and here, the difference between SSL and TLS is important. The old versions, designated as SSL, have known weaknesses. So does TLS 1.0, which is basically the same as SSL 3.0. An attacker with enough computing resources can break the encryption. A website needs to use TLS 1.1 or later to have good security.
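A small audit for the two server requirements above (old HTTP URLs forward to HTTPS, and no protocol older than TLS 1.1), as an added example that is not from the original article. It assumes Nginx, one of the servers named earlier; both configuration fragments, the host name and the file paths are constructed, and the "weak" threshold is the article's own.

```shell
# Added demo: both nginx fragments are constructed (example.test and paths are placeholders).
set -eu
CONF_DIR=$(mktemp -d)
cat > "$CONF_DIR/before.conf" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/example.test.crt;
    ssl_certificate_key /etc/ssl/private/example.test.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
cat > "$CONF_DIR/after.conf" <<'EOF'
server {
    listen 80;
    server_name example.test;
    return 301 https://$host$request_uri;   # old HTTP URLs forward to HTTPS
}
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     /etc/ssl/example.test.crt;
    ssl_certificate_key /etc/ssl/private/example.test.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF

# Print the protocols on ssl_protocols lines that the article rules out:
# anything named SSL, plus TLS 1.0 (nginx spells it "TLSv1").
weak_protocols() {
  awk '$1 == "ssl_protocols" {
         for (i = 2; i <= NF; i++) {
           p = $i; sub(/;$/, "", p)
           if (p ~ /^SSLv/ || p == "TLSv1") out = out (out == "" ? "" : " ") p
         }
       }
       END { print out }' "$1"
}

# Succeed if the file has a permanent redirect to an https:// URL.
has_https_redirect() {
  grep -Eq '^[[:space:]]*return[[:space:]]+301[[:space:]]+https://' "$1"
}
for f in before.conf after.conf; do
  weak=$(weak_protocols "$CONF_DIR/$f")
  has_https_redirect "$CONF_DIR/$f" && redir=yes || redir=no
  echo "$f: weak protocols: ${weak:-none}; HTTP-to-HTTPS redirect: $redir"
done
```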

Getting your certificate

Obtaining an SSL certificate isn’t complicated or expensive when you get it from us. OrangeWebsite’s options range from the simple, economical RapidSSL to strongly validated, multidomain certificates. Whether you use our domain hosting or another host, we offer installation service and stand by our certificates. You can get a validated certificate at annual prices starting from:

  • RapidSSL Standard (simple and available in minutes): €29.80 / $31.92
  • Comodo InstantSSL (business validation): €73.60 / $78.84
  • Comodo Multidomain EV (extended validation): €565.00 / $749.00
  • RapidSSL Wildcard (unlimited subdomains): €134.70 / $144.29
  • Comodo EV (single domain, extended validation, $250,000 warranty): €298.80 / $320.07

Prices may vary with currency fluctuations. Contact us if you have any questions.